Ready, Set, Cyberattack!

A U-M research team has shed new light on the importance of stealth and persistence in cyberattacks. The new wrinkle in these familiar concepts is their usefulness in determining the most advantageous timing for an attack. The researchers expect their findings to be beneficial to enterprises and other organizations in developing the next layer of defense.

By Richard Adhikari
01/14/14 2:42 PM PT

Advanced persistent threats and stealth malware attacks have been making the rounds for years. Now, University of Michigan researchers Robert Axelrod and Rumen Iliev have created a
mathematical model that, in essence, lays out the best time for nation-states to launch cyberattacks. Axelrod is a professor of political science and public policy at the university's Ford School of Public Policy, and Iliev is a post-doctoral student at the school.

The two looked at four case studies -- the Stuxnet attack on Iran's nuclear program; the cyberattack on Saudi Aramco; persistent cyberespionage carried out by the Chinese military; and economic coercion by China in a dispute with Japan.

Some Details of the Research

The model takes into account the stealth and persistence of a cyber-resource -- a means to exploit a vulnerability in a target's computer system.

The stealth of a resource is the probability that if it is used now, it will still be used in the future. Its persistence is the probability that if it is not used now, it will still be usable in the future.

The model uses both the duration and extent of an attack for estimating stealth. One benchmark is that the average duration of a zero-day attack is 312 days; for example, the Conficker worm infected about 370,000 machines over more than two months without being detected.

The benchmark for persistence used is that in a three-year period, only about 3-5 percent of the hundreds of vulnerabilities found in the Chrome and Firefox browsers were independently rediscovered. This would give a resource designed to attack those vulnerabilities a persistence rating of close to 1.0.

Well-protected systems with patches that are kept up to date reduce the advantages of stealth and persistence.

The thrust of the paper can be simply summed up thus: It's best to launch attacks when the enemy cannot handle them, or when the reward outweighs the risk of losing the resource.

Applications of the Factors

"While both persistence and stealth are desirable properties of a resource, they have opposite effects on the decision to use [it]," Iliev told TechNewsWorld. "If a resource is high on persistence but low on stealth, a rational attacker should not use [it] unless the stakes are very high."

How these factors affect the decision to launch an attack also depends on the attacker's purpose.

Criminals might have constant payoffs, which will motivate them to use a resource at once, Iliev said.

For large organizations and for governments, the stakes might be linear or exponential, and the model predicts that they should therefore exercise patience and hold off attacking until the best possible time.

But We Already Knew That!

Cybersecurity experts long have known that stealth and persistence are characteristics of successful cyberattacks.

Back in 2009, researchers at North Carolina State University published methods to block stealthy malware attacks. In November, financial institutions were being targeted by the stealthy Caphaw malware.

Advanced persistent threats have been in the lexicon of cybersecurity experts for years now.

"Noting that the required attributes are stealth and persistence is like telling me that repeated bludgeoning of a horse will not make it more dead," Randy Abrams, a research director at NSS Labs, told TechNewsWorld.

"Stealth and persistence are why the military calls them targeted persistent attacks," Abrams continued. "Persistence is only gained through stealth and resilience."

Formalizing the Issue

The notions of persistence and stealth have existed in one form or another, Iliev admitted.

However, "in this paper, we combine them into a single framework, which helps us to compute timing," he pointed out.

"Academics develop analytical models in order to try to predict attacks based upon patterns," Abrams continued. "Enterprises use layered defenses until academic research is productized, at which point the product becomes a new layer of defense."